What we have, we do not keep; having lost it, we weep.
21/10/2019
What should you do if unfamiliar companies keep calling you with offers?
Oleg Cherkasov, leading lawyer at the European Legal Service, told TASS how your data falls into the hands of attackers and what actions can be taken.
Personal data of Beeline customers (home Internet users in 2017) ended up in the public domain as a result of a leak. In early October 2019 it also became known that data of Sberbank customers had been posted on the darknet.
WHAT IS PERSONAL DATA?
The Personal Data Act, adopted in 2006, explains that personal data is "any information relating directly or indirectly to a defined or identifiable individual (personal data subject)."
Put simply, this includes all the data specified in your documents: name, date and place of birth, address, marital status, education, health and profession.
It also includes biometric data: fingerprints, retina scans. The data written on your bank card counts too, and so does whatever is openly shown in your profile on any social network.
I OFTEN HEAR ABOUT PERSONAL DATA LEAKS. EXPLAIN WHAT'S GOING ON?
Leaks are a really big problem. Every year there are more of them.
In the first half of last year, there were 1,039 leaks of confidential information worldwide, up 12% from the first half of 2017, according to the InfoWatch think tank.
As a result, 2.39 billion records of personal and payment data (social security numbers, payment card details) were compromised. 21 cases were mega-leaks: each of them exposed more than 10 million records.
HOW DOES INFORMATION "LEAK"? AND WHO IS TO BLAME?
In different ways.
Hackers hunt for data: they can use ransomware and hack corporate mail. But information can also become publicly available through an accident, or through the negligence or malice of an employee.
Security researchers (those who look for security vulnerabilities) report unprotected cloud servers almost every day.
"Often, technicians forget to close free access to storage, or compromise it due to incorrect settings when organizing collaboration," the InfoWatch report says.
AND WHAT HAPPENS TO COMPROMISED PERSONAL DATA?
Usually these databases are sold on the darknet (the "dark", illegal Internet: a part of the Internet that runs on its own protocols and algorithms to achieve maximum anonymity).
To give you an idea of the amounts involved: in 2018, information about 70 million Telegram users was sold on one of the forums for 8 bitcoins (one bitcoin currently costs 418.1 thousand rubles).
The most innocuous thing that can be done with your data is to sell it to companies that will call and offer products and services. And if the attackers obtained payment data, they can withdraw money from your account.
Sometimes personal data is made public just for fun. In 2017, data of the actors of "Game of Thrones" leaked. Hackers publicly posted their phone numbers, home addresses and e-mail addresses. Other users temporarily took over the accounts of the production media company.
I WILL USE THE SERVICES OF LARGE AND RELIABLE COMPANIES. THEY WON'T LEAK.
It won't help.
In 2018 alone, the CIA, the FBI, the US Department of Defense, the UK, the International Olympic Committee and the People's Bank of China suffered from data leaks, according to the InfoWatch report.
It was reported that the data of users of BitTorrent, GitHub, Skype, Tinder, WhatsApp, YouTube was compromised.
It follows that there are no invulnerable systems. All you can do for your own safety is to follow the rules of cyber hygiene. Here you can read about how often to change passwords, where to store them, and what you should not allow applications to do. "But not every leak can be prevented by the user," says Herman Namestnikov, an information security specialist. "Many of them are the fault of companies that do not provide sufficient data security. But you can minimize the risk by following these tips."
IS ANYONE HELD RESPONSIBLE WHEN MY DATA IS "LEAKED"?
There are penalties for companies that have allowed a leak.
If a Russian company suffers a leak as a result of a hacker attack, it may face an administrative fine under Article 13.11 of the Administrative Code, "Violation of the legislation of the Russian Federation in the field of personal data".
"The fines range from 4 thousand to 10 thousand rubles for officials, from 10 thousand to 20 thousand rubles for individual entrepreneurs, from 25 thousand to 50 thousand rubles for legal entities," explains Ashot Hovhannisyan, founder of DeviceLock. "But in practice, Russia checks mostly the formal side, the presence of regulations and other documents, and if they are in order, the company is not threatened in case of a leak."
And by the way, the punishment for Russian and European companies is very different. This, however, is only for now. There is a trend: worldwide requirements for the protection of personal data are becoming stricter.
"Since May 2018, the European Union has had a strict regulation on personal data processing (GDPR)," continues Hovhannisyan. "There, the data protection requirements are formulated unambiguously, and the penalties go up to 4% of the company's global revenue. The GDPR is just beginning to take effect: the agencies responsible for its compliance are gaining experience, local legislation is being brought into line, and the new norm is still far from being perfect."
For hackers, sanctions are provided in the Criminal Code of the Russian Federation.
If the personal data in the database was protected as a trade secret and was stolen by the sellers of illicit databases, they should be held liable under Article 183 of the Criminal Code, "Illegal receipt and disclosure of information constituting a commercial, tax or banking secret", adds Stanislav Machikhin, head of the legal department of SearchInform. The maximum penalty is imprisonment for up to seven years.
"And do not forget about Article 137 of the Criminal Code, which prohibits the illegal collection or dissemination of information about the private life of a person constituting his personal or family secret, without his consent," says Machikhin.
I GET CALLS FROM UNFAMILIAR COMPANIES OFFERING SERVICES. HOW DID THEY GET MY CONTACTS? AND I WANT TO STOP IT.
A database with your contacts could have been bought on the black market. Or it could have been obtained legally from a company that you authorized to process your data when you received a customer card or registered on a site. Perhaps, by signing the contract, you allowed the company not only to process your contacts but also to transfer them to third parties.
By the way, you can withdraw your consent to the processing of personal data from any company. However, there is no guarantee that this will stop the intrusive calls and SMS. One company can transfer information about you not only to two or three partners, but to dozens of contractors. In addition, the operator has the right to use the data at least until the end of the contract. You can read more about this in our experiment (three TASS editors found out what companies do with their data).
"We can transfer our personal data to several companies for processing in one day," says Oleg Cherkasov, a leading lawyer at the European Legal Service. "It is almost impossible to establish who made the leak."
But if your data is illegally transferred and you somehow manage to establish this fact, the perpetrators will be punished with fines under Art. 13.14 of the Administrative Code. The fines are up to 50 thousand rubles for legal entities. And if the client base was sold by managers, they face a fine of up to 5 thousand rubles.
"For the operator, there may be consequences of a civil nature," Cherkasov adds. "A person who believes that his rights have been violated can claim compensation for moral damage, property damage and losses."
WHEN WILL THE SITUATION CHANGE? WILL THERE BE LAWS AND SERVICES TO HELP KEEP TRACK OF HOW MY DATA IS BEING USED?
In the next two or three years, according to the plan of the state program "Digital economy", reforms will take place.
For example: at present you may not know that information about you has "leaked", say, from a bank as a result of a cyber attack. The bank is not obliged to inform you about this. You can, however, request information on an individual basis: what happened to the personal data that you allowed to be processed, and whether everything is OK with it. But as mentioned above, it is hard to remember where you left your contacts at all.
It is assumed that there will be convenient services with which you can quickly check: who has information about you, how it is used, where it was transferred. There you can also revoke the permission to process your data. Experts, however, recognize that these reforms are extremely difficult to implement from the technical side.